%% Protocol vulnerabilities
\section{Protocol vulnerabilities}
In the next two sections we will focus on attacks based on flaws in the GSM
call-establishment protocol. These are active attacks, meaning that they require
the attacker to transmit while tapped into the communication, instead of
just listening passively, which increases the risk of him being detected.
However, the advantages of active attacks are interesting and will be discussed
in the next section.

Through these flaws the attacker can compromise any GSM encrypted communication
by forcing the mobile phone to use the weak $A5/2$ cipher. The only prerequisite
is that the target mobile phone supports the weak cipher. This even applies if
the network is using the stronger $A5/3$ cipher.

The protocol flaws used by the attacks are:
\begin{enumerate}
  \item The network is in total control regarding whether to use the
  authentication and key agreement protocol, or not. If no authentication is
  used, $K_c$ stays the same as in the previous conversation. The mobile phone
  cannot request authentication.
  \item Even during authentication only the mobile phone needs to authenticate
  its identity to the network. No mechanism is defined that requires the network
  to authenticate itself to the mobile phone. This is a serious flaw, as it
  makes it possible for the attacker to use a fake base station to emulate the
  network.
  \item The network chooses the encryption algorithm to be used -- or not to
  encrypt at all. The mobile phone sends a message containing a list of its
  supported ciphers to the network. This message is called the `class-mark'. It
  should be noted that some mobile phones alert the user if no encryption is
  used for communication.
  \item The class-mark message is not encrypted and can be modified by an
  attacker.
  \item No key-separation exists. This means that the same key-agreement
  protocol is used, independently of which encryption algorithm or method of
  communication is used. Therefore, $K_c$ always depends only on $RAND$, which
  is chosen by the network. This applies regardless of which cipher is used
  ($A5/1$, $A5/2$, or $A5/3$).
  \item The reuse of $RAND$ is allowed. This means that the network can choose
  to use the same $RAND$ as many times as it wishes.
\end{enumerate}

\section{Active attacks}
One major advantage of these types of attacks is that an attacker can tap into
the communication between the mobile phone and the network with the same time
complexity as breaking $A5/2$. We will describe this in more detail later.

Another advantage is that the attacker can impersonate the network by exploiting
the second flaw described in the previous section. With a fake base station he
can make the mobile phone think that his network is the real network, and
command the mobile phone to use high power for transmission, to reduce the risk
of reception errors. When he has obtained enough data, he can then command the
mobile phone to reduce its transmission power to normal, to reduce the risks of
detection.

Finally, the attacker can freely choose which channel to use -- including the
time slot in the TDMA frame allocated to the mobile phone. This allows him to
reduce the complexity of the attack. Alternatively, the attacker could wait
before he commands the mobile phone to start using encryption, and thus be
prepared for a specific encrypted TDMA frame number that is convenient for him.

\subsection{Class-mark attack}
As mentioned in the previous section, the class-mark message, which notifies the
network which ciphers the mobile phone supports, is not protected and can be
modified by an attacker at the beginning of a conversation. The attacker can
accomplish this in several ways:
\begin{enumerate}
  \item The attacker can transmit a class-mark message of his choice using a
  stronger radio signal at the same time as the victim transmits its class-mark
  message. This will override the victim's transmission, and the cell tower will
  receive the attacker's transmission.
  \item The attacker can perform a man-in-the-middle attack with a fake base
  station to get in-between the mobile phone and the cell tower, so that
  all communication between the two passes through him. He can then modify the
  class-mark message as he wishes.
\end{enumerate}

A clever choice would be for the attacker to change the class-mark message to
say that only the weaker $A5/2$ cipher is supported. This would force the
network to use the weaker cipher for communication. The attacker could then
decrypt the conversation by performing the cryptanalysis of $A5/2$.

It is worth noticing that this form of attack can easily be spotted by the
network, and prevented by insisting on using the $A5/1$ cipher, or simply
dropping the conversation.
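
The network-side check mentioned above can be sketched as follows. This is an added example, not code from the paper or from any GSM implementation; the function \texttt{select\_cipher}, the policy set and the per-subscriber history store are assumptions made for illustration.

```python
# Added example (not from the paper): network-side handling of an
# unauthenticated class-mark. Policy set and history store are assumptions.
STRENGTH = {"A5/2": 1, "A5/1": 2, "A5/3": 3}
NETWORK_POLICY = {"A5/1", "A5/3"}   # assumed: the operator never selects A5/2


def select_cipher(subscriber, classmark, history):
    """Return (action, cipher, alerts) for one call setup.

    classmark: ciphers listed in the received class-mark message.
    history:   dict subscriber -> set of ciphers seen in earlier class-marks
               (hypothetical store; updated in place).
    """
    advertised = {c for c in classmark if c in STRENGTH}
    alerts = []

    # Assumption: a phone does not lose cipher support between calls, so a
    # class-mark that omits a previously advertised cipher is suspicious.
    dropped = history.get(subscriber, set()) - advertised
    if dropped:
        alerts.append("class-mark omits previously advertised: "
                      + ", ".join(sorted(dropped)))
    history.setdefault(subscriber, set()).update(advertised)

    usable = advertised & NETWORK_POLICY
    if not usable:
        # Only A5/2 (or nothing) on offer: drop rather than downgrade.
        alerts.append("no acceptable cipher offered; call dropped")
        return ("drop", None, alerts)
    # Strongest cipher that both the class-mark and the policy allow.
    return ("encrypt", max(usable, key=STRENGTH.get), alerts)
```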

\subsection{The phone as an oracle}
The next two attacks rely on two flaws from the previous section: the lack of
mandatory authentication of the network to the mobile phone, and the fact that
there is no key separation. The attacker can
impersonate the network and instruct the mobile phone to use the weaker $A5/2$
cipher, and retrieve $K_c$ by executing the instant ciphertext-only attack on
$A5/2$. As there is no key separation, $K_c$ is the same key used for the
stronger cipher.
\begin{quotation}
  \noindent{\textit{``Thus, the phone with $A5/2$ acts as an oracle for
  retrieving $K_c$.''}}\footnote{By E. Barkan, E. Biham, and N. Keller,
  \textit{Instant Ciphertext-Only Cryptanalysis of GSM Encrypted
  Communications}, 2003, page 21.}
\end{quotation}
This can be exploited by an attacker who recorded an encrypted conversation in the
past, with different encryption keys. The network can choose not to perform the
key-agreement protocol for every conversation, so the encryption key might be
the same during a few adjacent conversations. The attacker impersonates the
network and initiates an authentication procedure using the same $RAND$ value
that was used in the recorded conversation. The victim's mobile phone returns
the corresponding $SRES$ value, which will be identical to the $SRES$ value of
the recorded conversation.

The attacker then commands the mobile phone to begin encryption using $A5/2$.
The mobile phone acknowledges by sending a message encrypted under the same
$K_c$ that was used in the recorded conversation. This is because $K_c$ is a
function of $RAND$, and as the $RAND$ values are identical, so are the $K_c$ values.
The attacker retrieves $K_c$ by executing the instant ciphertext-only attack on
$A5/2$, and can repeat the attack for all the values of $RAND$ that appear in
the recorded conversation.
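
The effect of the missing key separation can be seen in a toy model. This is an added example, not code from the paper: \texttt{a8\_standin} uses HMAC-SHA-256 as a stand-in for the operator's key-agreement function, \texttt{kc\_separated} is a hypothetical hardened derivation, and all keys and $RAND$ values are constructed.

```python
# Added illustration (not from the paper): "no key separation" in a toy model.
import hashlib
import hmac

KI = bytes(range(16))  # constructed subscriber key
# Constructed recording: (RAND, cipher the network selected for that session).
RECORDED = [(b"\x01" * 16, "A5/1"), (b"\x02" * 16, "A5/3"), (b"\x03" * 16, "A5/2")]


def a8_standin(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the key agreement (assumption: HMAC-SHA-256, 64-bit output).

    As in the text, the result depends only on the subscriber key and RAND.
    """
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def kc_gsm(ki: bytes, rand: bytes, cipher: str) -> bytes:
    """Behaviour described in the text: the selected cipher is ignored."""
    return a8_standin(ki, rand)


def kc_separated(ki: bytes, rand: bytes, cipher: str) -> bytes:
    """Hypothetical hardened form: the cipher identifier is bound into the key."""
    base = a8_standin(ki, rand)
    return hmac.new(base, b"alg=" + cipher.encode(), hashlib.sha256).digest()[:8]


def exposed_sessions(derive, ki: bytes, recorded, weak: str = "A5/2"):
    """Recorded sessions whose key equals the key the phone would use if the
    same RAND were presented again with the weak cipher selected."""
    return [(rand, cipher) for rand, cipher in recorded
            if derive(ki, rand, cipher) == derive(ki, rand, weak)]


if __name__ == "__main__":
    for name, derive in (("GSM", kc_gsm), ("separated", kc_separated)):
        hits = exposed_sessions(derive, KI, RECORDED)
        print(name, "->", [cipher for _, cipher in hits])
```

In the model, every recorded session shares its key with the weak-cipher session when the derivation ignores the cipher; with the cipher bound into the derivation, only the session that already used $A5/2$ does.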

\subsection{Man-in-the-middle attack}
This type of attack requires the attacker to both impersonate the network to the
mobile phone, and the mobile phone to the network. This places the attacker in a
position in-between the two, making it possible for him to look at or alter the
communication going both ways.

When the network tries to authenticate the phone, the attacker forwards the
request to the victim's mobile phone. The phone computes the $SRES$ and returns
it to the attacker. But before the attacker forwards the response, he commands
the phone to start encryption of the conversation using the weak $A5/2$ cipher.
The phone complies and sends an encrypted acknowledgement to the attacker. The
attacker is now able to find $K_c$ in less than a second by using the instant
ciphertext-only attack on $A5/2$. This small delay in the authentication
procedure is not an issue, as the GSM standard allows up to 12 seconds of delay
for the mobile phone to compute and return an answer.

Now the attacker forwards the response containing the $SRES$ computed by the
victim's mobile phone to the network. The network demands that the attacker begin
encryption of the conversation using the ``stronger'' $A5/1$ cipher, and so he
does, as he already knows $K_c$ and thus can send the response encrypted using
$A5/1$ under the correct $K_c$. From this point on the attacker is authenticated
to the network and can continue to oversee or modify the conversation as he
pleases. He can even make sure that the mobile phone does not change back to a
non-fake base station by informing the phone that no other base station is in
range, except the fake one.

An interesting point is that this attack is also possible when using $A5/3$, as
long as the mobile phone supports and the network permits the use of the $A5/2$
cipher.

% The following paragraph can be omitted if out of space
The reply from above containing the encrypted acknowledgement from the phone
to notify the network that it starts encrypting the conversation is called
`CIPHMODCOM'. For the attacker to be able to perform the attack described above,
the CIPHMODCOM message must contain a large enough amount of information to
mount the instant ciphertext-only attack on $A5/2$. After error-correction
coding this message is 456 bits long. But the attack requires two such
messages to get the necessary bits of information. To obtain this, the attacker
can wait for the retransmission mechanism of the mobile phone to retransmit the
CIPHMODCOM message. As a result, the attacker now has the same message twice,
but encrypted differently (under a different frame number). Only 1 message bit
is flipped to indicate that it is a retransmission, and thus the attacker gains
184 extra bits of information, which he can express as 184 extra equations for
the instant ciphertext-only attack.
